Security
http://www.businessinsider.com/category/security
en-us
Sun, 02 Aug 2015 15:40:16 -0400
The latest news on Security from Business Insider
Business Insider
http://www.businessinsider.com
How to make sure your Facebook is as secure as possible (FB)
http://www.businessinsider.com/how-to-make-facebook-as-secure-as-possible-2015-7
Sat, 01 Aug 2015 11:45:30 -0400
Jillian D'Onfro
<p>No one wants to deal with the stress and potential damages of having their Facebook&nbsp;account hacked.</p>
<p><span>To decrease the likelihood of hacks, as well as the time it takes account holders to find suspicious activity that could be a precursor, Facebook&nbsp;has just launched&nbsp;a handy checklist that all users should take the time to walk through.</span></p>
<h2>Because Facebook just launched security check-up, you'll see it at the top of your profile. You can also find it anytime by <a href="https://www.facebook.com/notes/facebook-security/testing-new-security-checkup/10152796709350766">clicking here</a>:</h2>
<p><span><img src="http://static5.businessinsider.com/image/55ba1b572acae700448b8e41-932-386/security_checkup_start_png.png" alt="Security FB" data-mce-source="Facebook" /></span></p>
<h2><span>Enhancing your security is super easy &mdash; there are&nbsp;only three steps! &mdash; so all users should take the time to walk through the list:</span></h2>
<p><span><img src="http://static1.businessinsider.com/image/55ba1e6a2acae7c7018bb451-734-300/screen shot 2015-07-30 at 5.21.11 am.png" alt="Fb Security" data-mce-source="Facebook" /></span></p>
<h2><span>The first thing you can do is log out of all the browsers and apps (including those that use your account information as a "social login") that you haven't used recently:</span></h2>
<p><span><img src="http://static2.businessinsider.com/image/55ba1ddf2acae7b7188bb200-845-392/securitytime.png" alt="Fb Security" data-mce-source="Facebook" /></span></p>
<h2><span>Next, set up "login alerts" so that you'll know whenever someone logs into your account from a new device or browser. You can choose to receive email or text notifications:</span></h2>
<p><span><img src="http://static5.businessinsider.com/image/55ba1b562acae78a008bb72a-808-261/2security_checkup_login_alerts_png.png" alt="Security FB" data-mce-source="Facebook" /></span></p>
<h2><span>Take the time to carefully read all the best practices for a good password. Don't think your current one fits the bill? Take a moment to think of something better and make the change:</span></h2>
<h2><span><img src="http://static3.businessinsider.com/image/55ba1b572acae74c2f8b8f3d-814-326/3security_checkup_passwords_png.png" alt="Security FB" data-mce-source="Facebook" /></span></h2>
<h2><span>And you're all set! In less than ten minutes, your Facebook account is more secure:</span></h2>
<h2><span><img src="http://static3.businessinsider.com/image/55ba1b562acae7f4028bb6d1-874-309/screen shot 2015-07-30 at 5.39.31 am.png" alt="Security FB" data-mce-source="Facebook" /></span></h2>
Windows 10 is spying on you — at least that’s what this developer thinks
http://www.businessinsider.com/windows-10s-privacy-settings-are-invasive-and-vague-2015-7
Fri, 31 Jul 2015 08:12:18 -0400
Alastair Stevenson
<p><img style="float:right;" src="http://static4.businessinsider.com/image/55bb6798dd0895c81c8b45c6-630-473/spying.jpg" alt="spying" data-mce-source="Flickr/srose15" /></p><p>A prominent web developer has found a number of anomalies in Windows 10's default privacy settings.</p>
<p><a href="https://jonathan.porta.codes/2015/07/30/windows-10-seems-to-have-some-scary-privacy-defaults/" title="I noticed some disturbing privacy defaults in Windows 10">Web developer Jonathan Porta reported uncovering the issues</a> in a blog post on Friday.</p>
<p>His concerns focus on seven key privacy settings that are switched on by default in Windows 10.</p>
<p><strong>The settings allow&nbsp;Windows 10 to:</strong></p>
<ul>
<li><span style="line-height: 1.5em;">&ldquo;Personalize your speech, typing, and inking input by sending contacts and calendar details, along with other associated input data to Microsoft.&rdquo;</span></li>
<li><span style="line-height: 1.5em;">&ldquo;Send typing and inking data to Microsoft to improve the recognition and suggestion platform.&rdquo;</span></li>
<li><span style="line-height: 1.5em;">&ldquo;Let Windows and apps request your location, including location history, and send Microsoft and trusted partners some location data to improve location services.&rdquo;</span></li>
<li><span style="line-height: 1.5em;">&ldquo;Send Microsoft and trusted partners some location data to improve location services.&rdquo;</span></li>
<li><span style="line-height: 1.5em;">&ldquo;Use page prediction to improve reading, speed up browsing, and make your overall experience better in Windows browsers.&rdquo;</span></li>
<li><span style="line-height: 1.5em;">&ldquo;Automatically connect to suggested open hotspots. Not all networks are secure.&rdquo;</span></li>
<li><span style="line-height: 1.5em;">&ldquo;Send error and diagnostic information to Microsoft.&rdquo;</span></li>
</ul>
<p>The settings are officially designed to improve <a href="http://uk.businessinsider.com/windows-10-new-features-2015-7" title="The 9 best new features in Windows 10">Windows 10&rsquo;s services, such as the Cortana voice assistant,</a> and tailor the operating system to meet its user&rsquo;s needs.</p>
<p>However, according to Porta, there are two key issues with the settings. First, Porta thinks they are overly vague and do not adequately explain what specific data is being collected.</p>
<p>Second, Porta thinks the settings do not offer enough clarity on which third party companies Windows 10 customers&rsquo; data is being shared with.</p>
<p>Porta says that, when the settings are on, Microsoft will have free rein to collect any data it wants, and concludes: &ldquo;I might as well relocate my computer to Microsoft headquarters and have the entire company look over my shoulder.&rdquo;</p>
<h2>Time to get the tinfoil hat</h2>
<p>Porta is not alone in his concerns about Windows 10&rsquo;s privacy issues. A conspiracy theory has appeared on the 4chan message board claiming <a href="http://prntscr.com/7ykzbh" title="4Chan conspiracy theory">Windows 10 is actually connecting machines to a surveillance botnet.</a> A botnet is a network of machines that have been enslaved by a hacker.</p>
<p>There is no solid evidence to support the claim. However, Microsoft has been linked to government-sponsored surveillance campaigns in the past.</p>
<p>Documents leaked to the press by whistleblower Edward Snowden showed <a href="http://www.businessinsider.com/how-prism-surveillance-works-2013-6" title="The best explanation yet of how the NSA's PRISM surveillance program works">Microsoft was one of the technology companies the NSA siphoned web user data from during its PRISM campaign.</a> The campaign saw the NSA siphon data from many tech firms including Facebook, Twitter, Google, Yahoo and Apple.</p>
<p>The NSA used special secret court orders to force the companies to give them the data. Microsoft has since publicly campaigned to combat the orders. <a href="https://static.newamerica.org/attachments/3138--113/Encryption_Letter_to_Obama_final_051915.pdf" title="A letter to Obama">Microsoft was one of 140 companies to send an open letter to US President Barack Obama</a> urging him to hamper the ability of intelligence agencies, such as the NSA, to collect customer data.<img src="http://static4.businessinsider.com/image/55bb6798dd0895c81c8b45c7-1841-1381/plain screen copy.png" alt="Windows 10" data-mce-source="Screenshot" /></p>
<h2>A reality check</h2>
<p>A Microsoft spokesperson moved to downplay the concerns about Windows 10's privacy settings in a statement sent to Business Insider. Microsoft said the data is being collected purely for product improvement purposes.</p>
<p>&ldquo;To effectively provide Windows as a service, Microsoft collects some performance, diagnostic and usage information that helps keep Windows and apps running properly,&rdquo; said the spokesperson.<br /> <br />&ldquo;Microsoft does not sell this data or use it for advertising purposes. We give a select number of Microsoft employees and third party engineers access to select portions of the information to repair or improve Microsoft products and services.&rdquo;</p>
<p>Trend Micro cyber security consultant Bharat Mistry lent credence to Microsoft's claim, telling Business Insider that, while the settings are vague, it is unlikely Windows 10 is actually spying on its users.</p>
<p>&ldquo;The settings would suggest that Microsoft is trying to understand user behaviour in more detail &ndash; in terms of sites accessed, the time of day and also from location as well,&rdquo; he said.</p>
<p>&ldquo;Users should be concerned &ndash; [but] just don&rsquo;t accept the defaults!&rdquo;</p>
How to turn off Windows 10's controversial Wi-Fi sharing feature
http://www.businessinsider.com/how-to-turn-off-windows-10-wi-fi-sense-2015-7
Wed, 29 Jul 2015 17:30:03 -0400
Matt Weinberger
<p><img style="float:right;" src="http://static1.businessinsider.com/image/55a810c5371d22472c8b4f20-945-531/screen shot 2015-07-16 at 4.12.07 pm.png" alt="kids on wifi in car" data-mce-source="Vinli" data-link="http://www.vin.li/" /></p><p>Windows 10 comes with a feature called "Wi-Fi Sense" designed to make it easier for your friends to get online at your home or office without your having to give out the password every time.&nbsp;</p>
<p>It's a cool idea. But Wi-Fi Sense has&nbsp;triggered a firestorm among some security experts, who are concerned that it gives hackers one extra weapon in their arsenal.</p>
<p>A lot of the panic seems a little overblown. But if you're extra security conscious, you might want to turn it off.&nbsp;It provides a committed hacker one more easy way to get on to your network, where they might find it easier to get into the devices connected to that network.</p>
<h2><strong>How it works</strong></h2>
<p>The feature actually made its debut on Windows Phone 8.1, but Wi-Fi Sense went largely ignored (<a href="http://www.businessinsider.com/what-windows-phone-got-right-2015-7">along with&nbsp;Windows Phone itself</a>).</p>
<p>The way it&nbsp;works is pretty simple: When you log in to any wireless network, Windows 10 asks if you want to share that password with your friends (including Facebook friends, Skype contacts, and anyone in your Outlook rolodex).</p>
<p>Then, when those friends are within range of that network, Windows 10 jumps to life with that saved password you just shared and logs them in automatically. It means not having to read "Bus1n3zz1Ns1d3rRu13z" out loud, character by character, when your friends just want to hop on your home Wi-Fi.&nbsp;</p>
<p>Microsoft says it's a security feature, since your friends never actually know what your password is. All the Wi-Fi Sense feature does is give visitors direct access to the Internet, not to the host's computer or other devices &mdash; the same as giving any other visitor&nbsp;your Wi-Fi password.</p>
<p>It's enabled by default in Windows 10, unless you explicitly uncheck it during installation.</p>
<p>Microsoft seems to have thought through the big risks: You control which contacts from which social networks get access to which networks (and if you don't choose any, nothing happens), passwords are encrypted, and those passwords get sent up to a Microsoft server for safe storage, off of the actual device. (You can read a <a href="https://www.windowsphone.com/en-us/how-to/wp8/connectivity/wi-fi-sense-faq">full FAQ about the feature here</a>.)</p>
<p>But there&nbsp;are still opportunities for misuse.</p>
<h2>Misuse</h2>
<p>It's true that those encrypted passwords get shunted up to a Microsoft server for safekeeping, but at some point, they have to come back down to&nbsp;the device (your laptop, tablet, whatever) so Windows 10 can log you in to the network.</p>
<p>Some security experts are concerned that there's a window where an attacker could somehow grab the encrypted Wi-Fi Sense password and decrypt it. And, <a href="http://krebsonsecurity.com/2015/07/windows-10-shares-your-wi-fi-with-contacts/">as security researcher Brian Krebs noted recently</a>, people tend to re-use the same passwords for everything, meaning that it could be a way for hackers to harvest more personal data.&nbsp;</p>
<p>There's another possibility, where a malicious attacker could send you&nbsp;an innocuous Facebook friend request and get access to all of your Wi-Fi Sense passwords, giving them access to not only your home network, but all the others that you have the passwords for. That could be&nbsp;a nice "gimme" to attackers,&nbsp;especially in any&nbsp;workplace with an improperly&nbsp;secured network.</p>
<p>But overall, it seems like concerns over Wi-Fi Sense are overblown. And while it's generally considered a bad thing in security to let unknown parties into your wireless, since it gives bad people one more way into the network, both of these instances seem like unlikely scenarios. Plus, the actual risks to most normal users are close to nil &mdash; this isn't like giving out your Social Security number or ATM PIN.</p>
<p>Still, if you're concerned about your home wireless network, Microsoft says you can add "_optout" to the end of the name and make it invisible to Wi-Fi Sense. So a network called "BusinessInsider" would be eligible for Wi-Fi Sense, but a network called "BusinessInsider_optout" would not.</p>
<p>On Windows 10 itself, you want to go to Settings, then Network &amp; Internet, then Wi-Fi, then Manage Wi-Fi Settings.&nbsp;Turn off everything under the Wi-Fi Sense heading and have it forget the networks you share.</p>
<p><img src="http://static5.businessinsider.com/image/55b7af2b2acae7c7018ba8fd-743-785/wifi sense.png" alt="wifi sense windows 10" data-mce-source="Matt Weinberger" data-mce-caption="The Wi-Fi Sense panel in Windows 10" /></p>
The passwords your web browser saves for you are not safe at all
http://www.businessinsider.com/password-security-issue-chrome-2015-7
Tue, 28 Jul 2015 11:02:54 -0400
Rafi Letzter
<p>It turns out, your saved web passwords are less safe than you might think.</p>
<p>I was having some trouble logging into the Tech Insider content management system to work on a&nbsp;story, and asked one of our development team staff&nbsp;to have a look. He asked if I was sure I had typed in my password correctly. I said I was, but he looked dubious.</p>
<p>He right-clicked the password box, which of course only displayed asterisks (seen below):</p>
<p><img src="http://static4.businessinsider.com/image/55b799a9dd0895a0488b46f1-800-443/password 1.png" alt="Password 1" data-mce-source="Tech Insider" /></p>
<p>He then clicked "Inspect Element," which brought up the site's code:</p>
<p><img src="http://static1.businessinsider.com/image/55b799aadd0895a0488b46f2-799-113/screen shot 2015-07-27 at 2.32.50 pm.png" alt="Screen Shot 2015 07 27 at 2.32.50 PM" data-mce-source="Tech Insider" /></p>
<p>Looks like a mess, right? It is. But look closely and you'll see the string "type="password"". He deleted the word "password" after "type," like so:</p>
<p><img src="http://static1.businessinsider.com/image/55b799aadd0895a0488b46f3-799-113/password security 2.png" alt="password security 2" data-mce-source="Tech Insider" /></p>
<p>That&nbsp;instantly revealed my password in the content entry&nbsp;box:</p>
<p><img src="http://static4.businessinsider.com/image/55b799aadd0895a0488b46f4-800-139/password 2.png" alt="password 2" data-mce-source="Tech Insider" /></p>
<p>"Is that your password?" he asked. It was (I've obviously changed it in the example above).&nbsp;I was stunned &ndash; the whole thing took less than five seconds.</p>
<p>(Note: this method works in Google Chrome. Other browsers will have somewhat different approaches, but I'm not here to provide a training manual on password-snatching.)</p>
<p><img style="float:right;" src="http://static6.businessinsider.com/image/55b799aadd0895a0488b46f5-1094-904/screen shot 2015-07-27 at 2.57.15 pm.png" alt="Facebook hack" data-mce-source="Tech Insider" data-mce-caption="This is what Facebook looks like with the password field revealed." />This trick works on Google, Facebook, Amazon, TD Bank and every other site I've&nbsp;tried.</p>
<p>The danger here is that many people have their passwords saved on their computers, so that password field will auto-populate the minute a page opens.</p>
<p>In a perfect world people would only save passwords on computers with motherboards soldered&nbsp;directly onto the steel walls of bio-locked vacuum chambers, like the one Ethan Hunt here is descending into in the iconic "Mission: Impossible" scene.</p>
<p><img src="http://static4.businessinsider.com/image/55b799aadd0895a0488b46f6-1200-490/mission-impossible-100311964-orig.jpg" alt="mission impossible screenshot" data-mce-source="Paramount" data-mce-caption="Give Tom Cruise a scuba tank though and he is there." /></p>
<p>But how many people actually live that way?</p>
<p>I regularly leave my laptop unattended for short periods in rooms with friends and coworkers. My reasoning is that I trust all of those people individually, and if one of them were tempted to do something nefarious, the risk of my returning to catch them in the act would deter them from trying to log into any of my accounts on my device. And if they did, they probably wouldn't have time to do much more than post an embarrassing Facebook status.</p>
<p><img style="float:right;" src="http://static6.businessinsider.com/image/55b799aadd0895a0488b46f7-549-336/screen shot 2015-07-27 at 2.48.06 pm.png" alt="Amazon password exploit" data-mce-source="Tech Insider" />A trick this quick for learning someone's password entirely changes the game. A person could, with a few taps on a keyboard, learn your password while you're out of the room, and then erase all trace of what they'd done. Then they could access your account from any device, any time, anywhere, without you knowing. Trust me: as someone who once had several of my accounts remotely breached, this is something you definitely want to avoid.</p>
<p>In the short term, you can mitigate this danger by setting up <a href="http://www.businessinsider.com/how-to-turn-on-2-factor-authentication-in-gmail-2014-9">two-step verification</a>&nbsp;on all your accounts, locking your computer every time you step away, and using separate passwords on separate accounts.&nbsp;But in the long term, this seems like an obvious flaw for web developers to address.</p>
<p>I'm <a href="http://lifehacker.com/5946529/easily-reveal-hidden-passwords-in-any-browser">not the first person to write</a>&nbsp;about this exploit, and we shouldn't have to wait until <a href="http://www.businessinsider.com/4chan-nude-photo-leak-2014-8">celebrities fall victim</a> to see it fixed.&nbsp;Web security is meant to protect the way people use the internet in the real world, not in an unrealistic "perfect" world.</p>
Payments companies are trying to fix the massive credit-card fraud problem with these 5 new security protocols
http://www.businessinsider.com/how-payment-companies-are-trying-to-close-the-massive-hole-in-credit-card-security-2015-3
Tue, 28 Jul 2015 09:03:00 -0400
John Heggestuen
<p><img style="float:right;" src="http://static1.businessinsider.com/image/5506db536da81113074b7c47-400-/bii-annual%20cost%20of%20fraud_3.15.png" alt="BII Annual Cost Of Fraud_3.15" width="400" border="0" /></p><p>There is a massive credit card fraud problem in the US. Fraud cost US retailers approximately $32 billion in 2014, up from $23 billion just one year earlier.&nbsp;<span style="line-height: 1.5em;">Much of the fraud problem is the result of the relatively weak security of credit and debit cards. </span></p>
<p><span style="line-height: 1.5em;">To solve this problem, a new type of credit card with a microchip, called EMV, is being implemented &mdash; but EMV won't be a panacea. It will cause fraud to migrate to other weaker points within the payments ecosystem.</span></p>
<p><span style="line-height: 1.5em;">To solve the card fraud problem across in-store, online and mobile payments, payment companies and merchants are implementing new payment protocols that could finally help mitigate fraud.</span></p>
<p>In a&nbsp;<strong><a href="https://intelligence.businessinsider.com/payments-companies-close-the-massive-hole-in-payments-security-2015-3?utm_source=House&amp;utm_medium=Edit&amp;utm_term=P-Psecure-3.16.2015&amp;utm_content=link&amp;utm_campaign=BIIPayments">report</a></strong>&nbsp;from <strong><a href="https://intelligence.businessinsider.com/payments-companies-close-the-massive-hole-in-payments-security-2015-3?utm_source=House&amp;utm_medium=Edit&amp;utm_term=P-Psecure-3.16.2015&amp;utm_content=link&amp;utm_campaign=BIIPayments">BI Intelligence</a></strong>, we look at how the dynamics of fraud are shifting across in-store and online channels and explain the top new types of security that are gaining traction across each of these channels, including on Apple Pay.</p>
<p><strong>Here are some of the key takeaways:</strong></p>
<ul>
<li><strong style="line-height: 1.5em;"><a href="https://intelligence.businessinsider.com/payments-companies-close-the-massive-hole-in-payments-security-2015-3?utm_source=House&amp;utm_medium=Edit&amp;utm_term=P-Psecure-3.16.2015&amp;utm_content=link&amp;utm_campaign=BIIPayments">EMV cards are being rolled out with an embedded microchip for added security.</a>&nbsp;</strong><span style="line-height: 1.5em;">The microchip carries out real-time risk assessments on a person's card purchase activity based on the card user's profile. The chip also generates dynamic cryptograms when the card is inserted into a payment terminal. Because these cryptograms change with every purchase, it is difficult for fraudsters to make counterfeit cards that can be used for in-store transactions.</span></li>
<li><strong><a href="https://intelligence.businessinsider.com/payments-companies-close-the-massive-hole-in-payments-security-2015-3?utm_source=House&amp;utm_medium=Edit&amp;utm_term=P-Psecure-3.16.2015&amp;utm_content=link&amp;utm_campaign=BIIPayments">To bolster security throughout the payments chain, encryption of payments data is being widely implemented.</a>&nbsp;</strong>Encryption degrades valuable data by using an algorithm to translate card numbers into new values. This makes it difficult for fraudsters to harvest the payments data for use in future transactions.</li>
<li><strong><a href="https://intelligence.businessinsider.com/payments-companies-close-the-massive-hole-in-payments-security-2015-3?utm_source=House&amp;utm_medium=Edit&amp;utm_term=P-Psecure-3.16.2015&amp;utm_content=link&amp;utm_campaign=BIIPayments">Point-to-point encryption is the most tightly defined form of payments encryption.</a>&nbsp;</strong>In this scheme, sensitive payment data is encrypted from the point of capture at the payments terminal all the way through to the gateway or acquirer. This makes it much more difficult for fraudsters to harvest usable data from transactions in stores and online.</li>
<li><strong><a href="https://intelligence.businessinsider.com/payments-companies-close-the-massive-hole-in-payments-security-2015-3?utm_source=House&amp;utm_medium=Edit&amp;utm_term=P-Psecure-3.16.2015&amp;utm_content=link&amp;utm_campaign=BIIPayments">Tokenization increases the security of transactions made online and in stores.</a>&nbsp;</strong>Tokenization schemes assign a random value to payment data, making it effectively impossible for hackers to access the sensitive data from the token itself. Tokens are often "multiuse," meaning merchants don't have to force consumers to re-enter their payment details. Apple Pay uses an emerging form of tokenization.</li>
<li><strong><a href="https://intelligence.businessinsider.com/payments-companies-close-the-massive-hole-in-payments-security-2015-3?utm_source=House&amp;utm_medium=Edit&amp;utm_term=P-Psecure-3.16.2015&amp;utm_content=link&amp;utm_campaign=BIIPayments">3D Secure is an imperfect answer to user authentication online.</a>&nbsp;</strong>One difficulty in fighting online fraud is that it is hard to tell whether the person using card data is actually the cardholder. 3D Secure adds a level of user authentication by requiring the customer to enter a passcode or biometric data in addition to payment data to complete a transaction online. Merchants who implement 3D Secure risk higher shopping-cart abandonment.</li>
</ul>
<p>In full, the report:</p>
<ul>
<li><a href="https://intelligence.businessinsider.com/payments-companies-close-the-massive-hole-in-payments-security-2015-3?utm_source=House&amp;utm_medium=Edit&amp;utm_term=P-Psecure-3.16.2015&amp;utm_content=link&amp;utm_campaign=BIIPayments" onclick="this.href = this.href + '-' + window.location.search.substr(1).replace(/\&amp;|\=/g, '-');">Assesses the fraud cost to US retailers and how that fraud is expected to shift in coming years</a></li>
<li><a href="https://intelligence.businessinsider.com/payments-companies-close-the-massive-hole-in-payments-security-2015-3?utm_source=House&amp;utm_medium=Edit&amp;utm_term=P-Psecure-3.16.2015&amp;utm_content=link&amp;utm_campaign=BIIPayments" onclick="this.href = this.href + '-' + window.location.search.substr(1).replace(/\&amp;|\=/g, '-');">Provides 5 high-level explanations of the top payment security protocols</a></li>
<li><a href="https://intelligence.businessinsider.com/payments-companies-close-the-massive-hole-in-payments-security-2015-3?utm_source=House&amp;utm_medium=Edit&amp;utm_term=P-Psecure-3.16.2015&amp;utm_content=link&amp;utm_campaign=BIIPayments" onclick="this.href = this.href + '-' + window.location.search.substr(1).replace(/\&amp;|\=/g, '-');">Includes 7 infographics illustrating what the transaction flow looks like when each type of security is implemented.&nbsp;</a></li>
<li><a href="https://intelligence.businessinsider.com/payments-companies-close-the-massive-hole-in-payments-security-2015-3?utm_source=House&amp;utm_medium=Edit&amp;utm_term=P-Psecure-3.16.2015&amp;utm_content=link&amp;utm_campaign=BIIPayments" onclick="this.href = this.href + '-' + window.location.search.substr(1).replace(/\&amp;|\=/g, '-');">Analyzes the strengths and weaknesses of each payment security protocol and the reasons why particular protocols are being put in place at different types of merchants.</a></li>
</ul>
<p><strong><img src="http://static6.businessinsider.com/image/5500a4d3ecad04fc31e80f78-1200-900/acquirer side token approval.jpg" alt="Acquirer Side Token Approval" border="0" /><br /></strong></p> http://www.businessinsider.com/payment-companies-are-trying-to-close-the-massive-hole-in-credit-card-security-2015-3Payments companies are trying to fix the massive credit-card fraud problem with these 5 new security protocols http://www.businessinsider.com/payment-companies-are-trying-to-close-the-massive-hole-in-credit-card-security-2015-3
Tue, 21 Jul 2015 09:05:00 -0400John Heggestuen
<p><img style="float:right;" src="http://static1.businessinsider.com/image/5506db536da81113074b7c47-600-/bii-annual cost of fraud_3.15.png" border="0" alt="BII Annual Cost Of Fraud_3.15" width="600"></p><p>There is a massive credit card fraud problem in the US. Fraud cost US retailers approximately $32 billion in 2014, up from $23 billion just one year earlier.&nbsp;<span style="line-height: 1.5em;">Much of the fraud problem is the result of the relatively weak security of credit and debit cards. </span></p>
<p><span style="line-height: 1.5em;">To solve this problem, a new type of credit card with a microchip, called EMV, is being implemented — but EMV won't be a panacea. It will cause fraud to migrate to other weaker points within the payments ecosystem.</span></p>
<p><span style="line-height: 1.5em;">To solve the card fraud problem across in-store, online and mobile payments, payment companies and merchants are implementing new payment protocols that could finally help mitigate fraud.</span></p>
<p>In a&nbsp;<strong><a href="http://www.businessinsider.com/intelligence/research-store?IR=T#!/THE-PAYMENTS-SECURITY-REPORT/p/48309724/category=11987295" target="_blank" onclick="this.href = this.protocol + '//' + this.hostname + this.pathname + this.search + '&amp;' + window.location.search.substr(1)+ this.hash;">new report</a></strong>&nbsp;from <strong><a href="http://www.businessinsider.com/intelligence/research-store?IR=T#!/THE-PAYMENTS-SECURITY-REPORT/p/48309724/category=11987295" target="_blank" onclick="this.href = this.protocol + '//' + this.hostname + this.pathname + this.search + '&amp;' + window.location.search.substr(1)+ this.hash;">BI Intelligence</a></strong>, we look at how the dynamics of fraud are shifting across in-store and online channels and explain the top new types of security that are gaining traction across each of these channels, including on Apple Pay.&nbsp;</p>
<p><strong>Here are some of the key takeaways:</strong></p>
<ul>
<li><strong style="line-height: 1.5em;"><a href="http://www.businessinsider.com/intelligence/research-store?IR=T#!/THE-PAYMENTS-SECURITY-REPORT/p/48309724/category=11987295" target="_blank" onclick="this.href = this.protocol + '//' + this.hostname + this.pathname + this.search + '&amp;' + window.location.search.substr(1)+ this.hash;">EMV cards are being rolled out with an embedded microchip for added security.</a>&nbsp;</strong><span style="line-height: 1.5em;">The microchip carries out real-time risk assessments on a person's card purchase activity based on the card user's profile. The chip also generates dynamic cryptograms when the card is inserted into a payment terminal. Because these cryptograms change with every purchase, it is difficult for fraudsters to make counterfeit cards that can be used for in-store transactions.</span></li>
<li><strong><a href="http://www.businessinsider.com/intelligence/research-store?IR=T#!/THE-PAYMENTS-SECURITY-REPORT/p/48309724/category=11987295" target="_blank" onclick="this.href = this.protocol + '//' + this.hostname + this.pathname + this.search + '&amp;' + window.location.search.substr(1)+ this.hash;">To bolster security throughout the payments chain, encryption of payments data is being widely implemented.</a>&nbsp;</strong>Encryption<strong>&nbsp;</strong>degrades valuable data by using an algorithm to translate card numbers into new values. This makes it difficult for fraudsters to harvest the payments data for use in future transactions.<strong><br></strong></li>
<li><strong><a href="http://www.businessinsider.com/intelligence/research-store?IR=T#!/THE-PAYMENTS-SECURITY-REPORT/p/48309724/category=11987295" target="_blank" onclick="this.href = this.protocol + '//' + this.hostname + this.pathname + this.search + '&amp;' + window.location.search.substr(1)+ this.hash;">Point-to-point encryption is the most tightly defined form of payments encryption.</a>&nbsp;</strong>In this scheme, sensitive payment data is encrypted from the point of capture at the payments terminal all the way through to the gateway or acquirer. This makes it much more difficult for fraudsters to harvest usable data from transactions in stores and online.&nbsp;<strong><br></strong></li>
<li><strong><a href="http://www.businessinsider.com/intelligence/research-store?IR=T#!/THE-PAYMENTS-SECURITY-REPORT/p/48309724/category=11987295" target="_blank" onclick="this.href = this.protocol + '//' + this.hostname + this.pathname + this.search + '&amp;' + window.location.search.substr(1)+ this.hash;">Tokenization increases the security of transactions made online and in stores.</a>&nbsp;</strong>Tokenization schemes assign a random value to payment data,<strong>&nbsp;</strong>making it effectively impossible for hackers to access the sensitive data from the token itself. Tokens are often "multiuse," meaning merchants don't have to force consumers to re-enter their payment details. Apple Pay uses an emerging form of tokenization.&nbsp;</li>
<li><strong><a href="http://www.businessinsider.com/intelligence/research-store?IR=T#!/THE-PAYMENTS-SECURITY-REPORT/p/48309724/category=11987295" target="_blank" onclick="this.href = this.protocol + '//' + this.hostname + this.pathname + this.search + '&amp;' + window.location.search.substr(1)+ this.hash;">3D Secure is an imperfect answer to user authentication online.</a>&nbsp;</strong>One difficulty in fighting online fraud is that it is hard to tell whether the person using card data is actually the cardholder. 3D Secure adds a level of user authentication by requiring the customer to enter a passcode or biometric data in addition to payment data to complete a transaction online. Merchants who implement 3D Secure risk higher shopping-cart abandonment.</li>
</ul>
<p>In full, the report:</p>
<ul>
<li><a href="http://www.businessinsider.com/intelligence/research-store?IR=T#!/THE-PAYMENTS-SECURITY-REPORT/p/48309724/category=11987295" target="_blank" onclick="this.href = this.protocol + '//' + this.hostname + this.pathname + this.search + '&amp;' + window.location.search.substr(1)+ this.hash;">Assesses the fraud cost to US retailers and how that fraud is expected to shift in coming years</a></li>
<li><a href="http://www.businessinsider.com/intelligence/research-store?IR=T#!/THE-PAYMENTS-SECURITY-REPORT/p/48309724/category=11987295" target="_blank" onclick="this.href = this.protocol + '//' + this.hostname + this.pathname + this.search + '&amp;' + window.location.search.substr(1)+ this.hash;">Provides 5 high-level explanations of the top payment security protocols</a></li>
<li><a href="http://www.businessinsider.com/intelligence/research-store?IR=T#!/THE-PAYMENTS-SECURITY-REPORT/p/48309724/category=11987295" target="_blank" onclick="this.href = this.protocol + '//' + this.hostname + this.pathname + this.search + '&amp;' + window.location.search.substr(1)+ this.hash;">Includes 7 infographics illustrating what the transaction flow looks like when each type of security is implemented.&nbsp;</a></li>
<li><a href="http://www.businessinsider.com/intelligence/research-store?IR=T#!/THE-PAYMENTS-SECURITY-REPORT/p/48309724/category=11987295" target="_blank" onclick="this.href = this.protocol + '//' + this.hostname + this.pathname + this.search + '&amp;' + window.location.search.substr(1)+ this.hash;">Analyzes the strengths and weaknesses of each payment security protocol and the reasons why particular protocols are being put in place at different types of merchants.</a></li>
</ul>
 http://www.businessinsider.com/two-hackers-earned-a-million-miles-for-finding-united-airlines-security-breaches-2015-7Two hackers earned a million miles for finding United Airlines' security breacheshttp://www.businessinsider.com/two-hackers-earned-a-million-miles-for-finding-united-airlines-security-breaches-2015-7
Thu, 16 Jul 2015 23:46:59 -0400Karen Graham
<p class="abstract"><img style="float:right;" src="http://static1.businessinsider.com/image/55a87a0d2acae78b0e8b7567-914-686/6298494626_000950b26a_b.jpg" alt="united airlines plane" data-mce-source="Flickr/aero_icarus" /></p><p>Two hackers have scored it big, getting one million frequent-flier miles each from United Airlines after finding security breaches in the airline's computer systems.</p>
<p>The airline's "bug bounty" award program was started in May and is a first for a <a href="http://threatpost.com/united-airlines-hands-out-million-mile-bug-bounty/113766" target="_blank">transportation company</a>. The "bug bounty" program used by United is not new, and similar programs have been used by websites and software developers for a number of years.</p>
<div>Individuals can receive compensation for reporting bugs, especially security vulnerabilities that could be exploited. The program allows developers to identify and resolve problems in their software before the public becomes aware of them.</div>
<div></div>
<p class="body">Yes, the people receiving the bug bounties are hackers. Known as "white-hat hackers," these hackers are the "good guys." The original <a href="http://en.wikipedia.org/wiki/Bug_bounty_program" target="_blank">"bug bounty" program</a> was the brainchild of Jarrett Ridlinghafer. He came up with the idea while working at Netscape Communications Corporation as a technical support engineer.</p>
<div></div>
<p class="body">United spokesman Luke Punzenberger said on Thursday that Jordan Wiens, founder of a security company in Florida called Vector 35, is one of two winners of the one million frequent-flier miles prize. Other hackers got smaller prizes. The one million mile prize is enough to cover a bunch of first-class trips to Asia, or up to 20 round-trips in the U.S. CNN says the prize will cover going around the world five times.</p>
<div></div>
<div>Wiens told the <a href="http://threatpost.com/united-airlines-hands-out-million-mile-bug-bounty/113766" target="_blank">ThreatPost security blog</a> his submission was the first time he had ever submitted to a bug bounty program. &ldquo;There were actually two bugs that I submitted that I was pretty sure were remote code execution, but I also thought they were lame and wasn&rsquo;t sure if they were on parts of the infrastructure that qualified.&rdquo; He added, &ldquo;My expectation was that they counted, but I figured they&rsquo;d award me 50,000 miles or something smaller.&rdquo;</div>
<div></div>
<p class="body">United Airlines says they <a href="http://www.digitaltrends.com/computing/united-pays-out-its-million-mile-bug-bounty-to-surprised-hacker/#ixzz3g62ajrXN" target="_blank">reward the finding</a> of &ldquo;basic third-party issues affecting its systems with 50,000 miles, exploits that could jeopardize the confidentiality of customer information get 250,000 miles, and major flaws related to remote-code execution earn a maximum of 1,000,000 miles.&rdquo;</p> http://www.businessinsider.com/we-found-out-how-much-money-hackers-actually-make-2015-7Some hackers make more than $80,000 a month — here's howhttp://www.businessinsider.com/we-found-out-how-much-money-hackers-actually-make-2015-7
Tue, 14 Jul 2015 12:16:00 -0400Cale Guthrie Weissman
<p><img style="float:right;" src="http://static4.businessinsider.com/image/5532d519eab8ea1f6c81d7e1-600-/rtr4jeyr.jpg" border="0" alt="hackers" width="600"></p><p>It's a known fact that hacking makes money. But how much money? And how do hackers carry out their internal dealings with one another so as not to step on each other's toes?</p>
<p>Much like the fine-tuned systems of mafias and gangs that act almost identically to businesses, hackers have also created their own extremely intricate systems — and the scale of their operations is astounding.</p>
<p>Security researchers have been embedding themselves into these online underbellies to see precisely what's going on. This way they can get an early look at the malware hackers are cooking up, while also learning just how the system works.</p>
<p>The information security company&nbsp;<a href="https://www.trustwave.com/home/">Trustwave</a> has been doing just this for years. It now has a lot to show for it, including discovering how much money a hacking gang makes and how precisely the cybercrime ecosystem works.</p>
<p>Trustwave's&nbsp;<span>VP of Security Research Ziv Mador has put together a presentation he gives to customers so they can get a better handle on how to protect themselves. As he put it, it's just a "glance of what we find."</span></p>
<p><span>But Mador has given Business Insider an exclusive look at the wheeling and dealing of hackers inside this secretive world — check it out below.</span></p>
<h3>Forums — the online places where cybercriminals sell their goods.</h3>
<img src="http://static3.businessinsider.com/image/55a4320deab8ea20521674b6-400-300/forums--the-online-places-where-cybercriminals-sell-their-goods.jpg" alt="" />
<p>Forums are "The Craigslist of the underground forums," explained Mador. "You can see how they advertise malware they would like to sell to each other."</p>
<p>It's where hackers and hacking gangs hawk their goods, including trojans, bots, and other malicious pieces of software.&nbsp;</p>
<p>Mador explained that it's "very difficult to get in" to these forums. They require a lot of vetting and trust from other criminals.&nbsp;</p>
<br/><br/><h3>Exploit Kits</h3>
<img src="http://static1.businessinsider.com/image/55a4320deab8ea884e1674b6-400-300/exploit-kits.jpg" alt="" />
<p>Exploit kits are the bread and butter for how cybercriminals successfully hack the masses.</p>
<p>They are a malicious toolkit of various ways to deliver malware. Or, as Mador puts it, an "invisible web application that uses a cocktail of exploits."</p>
<p>Exploit kits have become preferred by cybercriminals because of their heightened success rate. Before, an average of 10% of users were successfully hacked, but with new and better exploit kits being made the success rate has risen to as much as 40%.&nbsp;</p>
<br/><br/><h3>What's in an exploit kit?</h3>
<img src="http://static1.businessinsider.com/image/55a4320deab8ea844e1674b8-400-300/whats-in-an-exploit-kit.jpg" alt="" />
<p>Here is a rundown of all the ingredients inside the exploit kit cocktail. These are the various pieces of malware cybercriminals have paid for, which they then distribute further to unsuspecting victims.</p>
 http://www.businessinsider.com/facebook-chief-security-officer-calls-for-end-to-adobe-flash-2015-7Facebook's chief security officer follows Steve Jobs' lead and calls for an end to Adobe Flashhttp://www.businessinsider.com/facebook-chief-security-officer-calls-for-end-to-adobe-flash-2015-7
Mon, 13 Jul 2015 10:41:00 -0400Cale Guthrie Weissman
<p class="p1"><img style="float:right;" src="http://static5.businessinsider.com/image/558b3b7c69bedd086c78f4c4-600-/alexstamos.jpg" border="0" alt="Alex Stamos" width="600"></p><p>In 2010, Steve Jobs <a href="https://www.apple.com/hotnews/thoughts-on-flash/">famously wrote</a> a pages-long manifesto about why he would not allow Adobe Flash to work on Apple mobile devices.</p>
<p class="p1">"We don’t want to reduce the reliability and security of our iPhones, iPods, and iPads by adding Flash," the Apple CEO firmly stated.</p>
<p class="p1">Five years later, evidence backing up Jobs' security warning continues to pile up. <span style="line-height: 1.5em;">Now, Facebook’s new chief security officer, Alex Stamos, has stated publicly that he wants to see Adobe end Flash once and for all.</span><span style="line-height: 1.5em;"> </span></p>
<p class="p1">On Twitter this weekend Stamos — <a href="http://www.reuters.com/article/2015/06/25/us-facebook-moves-alexstamos-idUSKBN0P50BT20150625">formerly of Yahoo, now at Facebook</a> — tweeted the following:<span style="line-height: 1.5em;"> </span></p>
<div><div>
<blockquote class="twitter-tweet" lang="en">
<p>
It is time for Adobe to announce the end-of-life date for Flash and to ask the browsers to set killbits on the same day. </p>— Alex Stamos (@alexstamos) <a href="https://twitter.com/mims/statuses/620306643360706561">July 12, 2015</a>
</blockquote>
</div></div>
<p class="embed-spacer"><span style="line-height: 1.5em;">Stamos' call for the end of Flash likely has to do with a great deal of new Flash-related revelations. Following the <a href="http://www.businessinsider.com/hacked-security-companys-document-2015-7">highly-publicized Hacking Team hack</a>, which saw a major surveillance company’s files completely leaked online, a slew of new vulnerabilities <a href="https://helpx.adobe.com/security/products/flash-player/apsa15-04.html">have been disclosed</a> relating to Adobe’s Flash player.</span><span style="line-height: 1.5em;"> </span></p>
<p class="p1">Adobe has patched these issues, but still more vulnerabilities continue to arise. In fact, as soon as Adobe announced it had patched a few issues, more were disclosed — at least 20 were discovered in the last week alone.</p>
<p class="p1">Adobe has been actively working to fix these issues, but Flash seems to be heavily targeted by hackers, and that is not likely to stop. It has been going on <a href="https://securelist.com/blog/incidents/59399/new-flash-player-0-day-cve-2014-0515-used-in-watering-hole-attacks/">for years</a>.</p>
<p class="p1"><img class="float_left" src="http://static4.businessinsider.com/image/51955935eab8eab020000011-349-290/the-adobe-flash-plugin-has-crashed.jpg" border="0" alt="The Adobe Flash plugin has crashed">Security blogger Graham Cluley agrees with Stamos. He <a href="http://www.hotforsecurity.com/blog/facebooks-security-chief-calls-for-adobe-flash-to-be-killed-off-12264.html">writes</a>, "<span>The truth is that the company would probably gain a lot more respect from the internet community if it worked towards this ultimate fix for the Flash problem, rather than clinging on to the belief that it might be able to one day make Flash secure."</span><span style="line-height: 1.5em;"><br></span></p>
<p class="p1">People in this camp believe the answer is for Adobe to kill off the player, but with ample warning. This is because not only do most major browsers support the player, but many smaller companies' entire web programs rely on Flash.</p>
<p class="p1">But once a 'kill-off date' is announced, everyone can transition toward more secure and open options like HTML5. Facebook, for instance, uses both Flash and HTML5, depending on browser preferences.</p>
<p class="p1">Of course, if such an end-of-life date for Adobe Flash were to be announced, it would certainly cause a lot of tumult. Smaller companies and organizations without the resources of Facebook-like behemoths would have to totally rethink their web design.</p>
<p class="p1">But perhaps a clean break with a fair amount of warning is the only way to make for a safer internet. At least that’s what people like Stamos think.</p>
<p><strong>SEE ALSO:&nbsp;<a href="http://www.businessinsider.com/the-insane-ways-your-offline-devices-can-be-hacked-2015-7" >The insane ways your phone and computer can be hacked — even if they're not connected to the internet </a></strong></p>
 http://www.businessinsider.com/splash-id-password-management-2015-7There's an easy way to remember all the random passwords you always forgethttp://www.businessinsider.com/splash-id-password-management-2015-7
Sun, 12 Jul 2015 11:30:00 -0400Banu Ibrahim
<p><img style="float:right;" src="http://static1.businessinsider.com/image/559bd68a69bedd043afc8f8a-400-300/z-33.jpg" border="0" alt="Z" width="400" height="300"></p><p></p>
<p>By now, hopefully everyone knows that selecting 'password' as your password is not a good idea; it leaves your personal data and financial records vulnerable.</p>
<p>But, listen, anyone can fall victim to cyber theft — regardless of his or her login.</p>
<p>Changing your credentials <a href="http://www.businessinsider.com/most-common-identity-theft-mistake-2014-8">every 3 to 6 months</a>&nbsp;is a solid preventive measure; investing in an encrypted service, like&nbsp;<a href="https://stacksocial.com/sales/splashid-pro-lifetime-plan?aid=a-49y03t13">Splash ID</a>, is another way to make sure your crucial documents stay secure and confidential.&nbsp;Splash ID's&nbsp;<a href="https://stacksocial.com/sales/splashid-pro-lifetime-plan?aid=a-49y03t13">lifetime plan&nbsp;</a>does more than help you keep track of all those passwords you always forget. You also have the option to sync (or not sync) your records with the cloud and WiFi for easy accessibility —&nbsp;to you and you only.</p>
<p><span style="line-height: 1.5em;">Toss the coffee-stained Post-its and bits of scrap paper you have by your computer — and start to take your password management seriously.&nbsp;</span></p>
<p><a href="https://stacksocial.com/sales/splashid-pro-lifetime-plan?aid=a-49y03t13"><strong>SplashID&nbsp;Pro: Lifetime Plan</strong>, $24.99 (originally $100), available at Stack Commerce.</a>&nbsp;<span style="color: #ff0000;">[75% off]</span></p>
<hr>
 http://www.businessinsider.com/google-to-invest-100-million-in-crowdstrike-2015-7Google is investing $100 million in a security company, CrowdStrikehttp://www.businessinsider.com/google-to-invest-100-million-in-crowdstrike-2015-7
Fri, 10 Jul 2015 17:39:00 -0400Julie Bort
<p><img style="float:right;" src="http://static5.businessinsider.com/image/55a010f269bedd8344f7425b-1200-924/dmitri-alperovitch.jpg" border="0" alt="Dmitri Alperovitch "></p><p>Security startup CrowdStrike is expected to announce a $100 million investment from Google Capital next week, a person close to the company told Business Insider, although this source did not reveal the valuation.</p>
<p>CrowdStrike was founded by two ex-McAfee execs in 2011.&nbsp;</p>
<p>It offers a cloud tool that helps governments and enterprises discover and stop an attack as it is occurring (that can be a harder problem to solve than it sounds).</p>
<p>While security companies tend not to talk much about the customers that use their products, CrowdStrike says that its customers include some of the largest blue chip companies in financial services, as well as companies in energy, oil &amp; gas, telecommunications, retail, tech, and government.</p>
<p><span>Its analysis of the big hack at the government's&nbsp;Office of Personnel Management (OPM) indicated the hack came from Chinese hackers,&nbsp;</span><a href="http://recode.net/2015/07/09/estimate-of-americans-hit-by-government-personnel-data-hack-skyrockets/">Re/Code reported</a><span>.</span></p>
<p><span>CrowdStrike had previously raised $56 million, <a href="https://www.crunchbase.com/organization/crowdstrike">according to Crunchbase</a>.<br></span></p>
<p><span><span>Google Capital is the investment arm of Google itself, and is different from Google Ventures, the company's venture capital firm, which runs largely independently but has Google as its sole limited partner.</span></span></p>
<p>Google had no comment on this story.</p>
 http://www.businessinsider.com/hacking-team-vendor-netragard-apologizes-2015-7One company thinks Hacking Team's massive breach may bring about some goodhttp://www.businessinsider.com/hacking-team-vendor-netragard-apologizes-2015-7
Fri, 10 Jul 2015 14:24:00 -0400Cale Guthrie Weissman
<p class="p1"><img style="float:right;" src="http://static1.businessinsider.com/image/55a00274eab8ea8c4ef7425b-462-347/hacking-team-2.png" border="0" alt="Hacking Team"></p><p>The business of hacking is dark and deep, and it’s hard to know who the good guys and bad guys are. The <a href="http://www.businessinsider.com/hacked-security-companys-document-2015-7">recent hack at the surveillance company Hacking Team</a> highlights just that.</p>
<p class="p1">But, with Hacking Team fresh in our mind, this could mark an inflection point for some ingrained cybersecurity practices.</p>
<p class="p1">The Italy-based company, which is known for selling surveillance technology to numerous organizations (many of whom <a href="http://www.businessinsider.com/hacked-security-companys-document-2015-7">have been considered</a> very questionable actors in the international community) recently had its networks hacked. The hacker put all of the company's data into a torrent file. And then, the documents were indexed and put on WikiLeaks for all to search and see.</p>
<p class="p1">In these thousands of Hacking Team documents we can see all of the crazy business the company has done, be it with US companies or foreign governments. Many have deemed this detrimental to the many clients that purchased Hacking Team tools.<span style="line-height: 1.5em;"><br></span></p>
<p class="p1">But one security company whose name surfaced in this hack has a very different perspective.</p>
<p class="p1">Netragard is a security company that offers anti-hacking services. Its catchphrase is "We protect you from people like us." The company's services help customers test their own networks for any security vulnerabilities in addition to assessing any risk.</p>
<p class="p1">But Netragard also offers a service called an Exploit Acquisition Program (EAP). An EAP essentially works as an exploit broker, selling to researchers what a hacker has discovered.</p>
<p class="p1">The ethics of EAPs are interesting to say the least. Selling a not-yet-discovered exploit — which is known as a 0-day in the industry — to another entity could be seen as malicious if it gets into the wrong hands. A hacker could use the exploit to cause damage to companies connected to the exploit. But if 0-day exploits get into the right hands, security researchers can use the information to protect against future attacks.</p>
<p class="p3"><span class="s1">And Netragard, according to the company, worked hard to make its EAP as ethical as possible. "</span><span class="s2">Our goal was to provide researchers with safe and trusted place to sell their exploits with the comfort of knowing that their exploits wouldn’t end up in questionable hands</span><span class="s3">," the company wrote in <a href="http://www.netragard.com/the-hackingteam-breach-eap">a new blog post</a> explaining its business with Hacking Team.</span><span style="line-height: 1.5em;">&nbsp;</span></p>
<p class="p5">But with Hacking Team, Netragard made a mistake. The security company sold Hacking Team an exploit for the price of about $100,000. Now, Netragard is apologizing for doing such business. "[Hacking Team’s] <span class="s4">customers are the very same customers that we’ve worked so&nbsp;hard to avoid. &nbsp;It goes without saying that our relationship with them&nbsp;is over and we’ve tightened our vendor vetting process."</span><span style="line-height: 1.5em;"><br></span></p>
<p class="p5">But there is one glimmer of hope, says the company, which is clearly trying to spin these revelations in its favor. Not only is the exploit Netragard sold to Hacking Team useless because it was revealed with this huge breach, but the whole ordeal brings to light how tenuous and oftentimes questionable the market is for such exploits.</p>
<p class="p5">In light of this, Netragard hopes, this could bring about some change. It goes so far as to call this entire saga a "blessing in disguise" — but it's also hard not to see this as a classic case of PR damage control from a company caught doing business with those it vowed not to.</p>
<p class="p5">The blog post says, "<span class="s4" style="line-height: 1.5em;">Hacking Team is just one example of why the zero-day&nbsp;exploit market needs to be thoughtfully regulated."</span></p>
http://www.businessinsider.com/joint-chiefs-nominee-russia-is-the-biggest-threat-to-us-security-2015-7Joint Chiefs nominee: Russia is the biggest threat to US security http://www.businessinsider.com/joint-chiefs-nominee-russia-is-the-biggest-threat-to-us-security-2015-7
Thu, 09 Jul 2015 18:43:06 -0400Deb Riechmann
<p><img style="float:right;" src="http://static1.businessinsider.com/image/559ef89769bedd9e0734f54a-1200-924/joint-chiefs-chairmanmill-2.jpg" border="0" alt="Joint Chiefs Chairman_Mill"></p><p>WASHINGTON (AP) — Russia poses the world's greatest threat to U.S. national security, President Barack Obama's nominee to lead the military's Joint Chiefs of Staff declared on Thursday. The White House quickly distanced the president from that blunt assessment.</p>
<p>Marine Gen. Joseph Dunford told senators at his confirmation hearing, "If you want to talk about a nation that could pose an existential threat to the United States, I'd have to point to Russia. And if you look at their behavior, it's nothing short of alarming."</p>
<p>The four-star general said there are other threats to the nation, which must be addressed in concert. He pointed to China with its expanding military capability and presence in the Pacific, North Korea with its ballistic missile capability and Islamic State militants.</p>
<p>But he said, "My assessment today ... is that Russia presents the greatest threat to our national security."</p>
<p>At the White House, press secretary Josh Earnest distanced Obama from the assessment, saying Dunford's comments reflected his own view and not necessarily "the consensus analysis of the president's national security team."</p>
<p>Yet Earnest said that much has changed since 2012, when Obama mocked his GOP opponent, Mitt Romney, for calling Russia the top U.S. geopolitical threat. Earnest said Russia's destabilizing actions in Ukraine and "saber-rattling" over its nuclear program and military activities near borders with NATO allies have increased U.S. concerns.</p>
<p>Relations between Russia and the West have sunk to post-Cold War lows after Moscow's annexation of Ukraine's Crimean Peninsula and its support for a pro-Russian insurgency in eastern Ukraine. The United States has responded with sanctions, but so far has refrained from providing lethal arms to the Ukrainian forces.</p>
<p>Dunford's comment was exactly what Sen. John McCain, chairman of the Armed Services Committee and a frequent critic of Obama's foreign policy, wanted to hear.</p>
<p>"In Europe, Vladimir Putin's Russia continues its onslaught in Ukraine," said McCain, R-Ariz. "But even as Russian troops and equipment execute this neo-imperial campaign to undermine Ukraine's government and independence, the United States has refused Ukraine the weapons it needs and deserves for its defense."</p>
<p>Dunford agreed with McCain.</p>
<p>"From a military perspective, I think it's reasonable that we provide that support to the Ukrainians," he said. "And frankly, without that kind of support, they're not going to be able to protect themselves against Russian aggression."</p>
<p><img src="http://static2.businessinsider.com/image/559ef8cd6bb3f7760b7d6c84-1200-924/putin-663.jpg" border="0" alt="putin"></p>
<p>The general told the committee that Russia is a nuclear power that not only has the capability to violate the sovereignty of U.S. allies and do things that are inconsistent with U.S. national security interests, but is actually doing so.</p>
<p>However, he also said he thinks it's important to maintain a military-to-military relationship with Russia to improve trust and mitigate the risk of either nation miscalculating the moves of the other.</p>
<p>Dunford, who appeared in the hearing room with his wife and other members of his family, is expected to be confirmed this month.</p>
<p>On another major international issue, Secretary of State John Kerry announced in Vienna — shortly after Dunford testified — that diplomats would miss a midnight Thursday deadline for reaching a nuclear agreement with Iran. The U.S. and its partners are trying to clinch a deal that would restrain Tehran's nuclear program in exchange for relief from economic sanctions.</p>
<p>Dunford said a nuclear-armed Iran would pose a significant national security risk to the U.S., especially if Tehran also had the technology to launch intercontinental ballistic missiles. He said it would be reasonable to assume that Tehran would use revenue from any sanctions relief to further aid Shiite militias in Iraq, the Syrian government of President Bashar Assad and the Houthi rebels in Yemen.</p>
<p>Even if there is no nuclear deal, Dunford said, Iran will continue to be a "malign influence and the most destabilizing element in the Middle East today."</p>
<p>Under questioning, Dunford said the U.S. has the military capability to destroy Iran's nuclear program. He said that by some estimates, about 500 U.S. troops have been killed because of Iranian activities in Afghanistan.</p>
<p>Also on the subject of Afghanistan, he promised to recommend changes in the size and pace of the troop withdrawal there if security worsens. Dunford, who until last year had been serving as the top U.S. commander in the country, said that if the U.S. force in Afghanistan falls to 1,000 in 2017, the counterterrorism mission there would be significantly degraded and the U.S. would risk losing its eyes and ears along the border with Pakistan.</p>
<p>On Syria, Dunford said the 60 trainees the U.S. has in a program to prepare and arm thousands of moderate rebels in the fight against IS militants is a much lower number than expected at this juncture. He attributed the low number to a rigorous vetting process.</p>
<p>___</p>
<p>Associated Press Writer Josh Lederman contributed to this report.</p> http://www.businessinsider.com/highest-risk-of-identity-theft-2015-7If you've recently done one of these 3 things, you're at a higher risk for having your identity stolenhttp://www.businessinsider.com/highest-risk-of-identity-theft-2015-7
Wed, 08 Jul 2015 17:00:00 -0400Business Insider
<p><img style="float:right;" src="http://static4.businessinsider.com/image/559aa620ecad047a454b5c43-600-/couple-bride-groom-wedding-1.jpg" border="0" alt="couple bride groom wedding" width="600"></p><p>In the past year, have you bought a house, sold a house, gotten married, gotten divorced, had a child, become pregnant, lost your job, or gotten a new one?</p>
<p>If so, you have a higher risk of identity theft.</p>
<p>All of these major life events have one thing in common, according to Paige Hanson, educational programs manager at <a href="http://www.lifelock.com/">Lifelock</a>, the identity-theft-protection company: You're sharing more personal information than you normally would.</p>
<p>Take buying or selling a house, for instance. "Your paperwork passes through the hands of multiple agents and representatives," Hanson explains.</p>
<p>Those documents might include your Social Security number, date of birth, passport number, or copies of your driver's license — all information that can be used to steal your identity.</p>
<p>Homebuyers are nearly three times as likely to be a victim of identity theft as the average person, according to statistics collected by Lifelock, and sellers are almost four times as likely.</p>
<p>You may not be able to avoid giving away that kind of personal information in a real-estate transaction, Hanson says, but it's always worth asking if providing your Social Security number, for instance, is really necessary.</p>
<p>"A lot of people think that just because they've been asked for information, they have to provide it," she says. "Before automatically giving it away, ask why. A lot of times, they won't have an answer. And maybe you'll be encouraging them to change their security standards."</p>
<p>Lifelock's research has found that just about any major life change comes with the danger of identity theft:</p>
<ul>
<li><span>Your risk of getting your identity stolen is 3.5 times higher if you've been married in the past year.</span></li>
<li><span><span>Having a child or becoming pregnant increases the risk of identity theft by 2.7 times.</span></span></li>
<li><span><span><span>Either losing or starting a new job raises your risk of identity theft by 50%.&nbsp;</span></span></span></li>
<li><span><span><span><span>People who have gotten divorced or become separated in the past 12 months are 3.5 times more likely to experience identity theft.&nbsp;</span></span></span></span></li>
</ul>
<p>Often, it's not a data breach that puts your personal information out in the open — it's what you've posted yourself. Engaged couples often include details&nbsp;<span>like where they live or where they're going on honeymoon on their wedding websites, and new parents share their children's full names and birth dates on Facebook. There's also the risk of unintentionally exposing your personal data when you use public Wi-Fi networks to apply for jobs, shop online, or check dating websites. </span></p>
<p><span>So whether it's a form at the doctor's office that asks for your Social Security number or a website that wants to know your birth date, stop and think before you give that information away.&nbsp;</span><span style="line-height: 1.5em;">"People need to take active ownership in protecting themselves," Hanson says.&nbsp;</span></p>
http://www.businessinsider.com/fbi-chief-wants-backdoor-access-to-encrypted-communications-to-fight-isis-2015-7FBI chief wants 'backdoor access' to encrypted communications to fight ISIShttp://www.businessinsider.com/fbi-chief-wants-backdoor-access-to-encrypted-communications-to-fight-isis-2015-7
Wed, 08 Jul 2015 14:32:35 -0400Spencer Ackerman
<p><img style="float:right;" src="http://static6.businessinsider.com/image/537cdc006bb3f7425157d10e-1200-858/rtr3iv9x.jpg" border="0" alt="James comey fbi"></p><p>The director of the Federal Bureau of Investigation has warned US senators that the threat from the Islamic State merits a “debate” about limiting commercial encryption – the linchpin of digital security – despite a growing chorus of technical experts who say that undermining encryption would prove an enormous boon for hackers, cybercriminals, foreign spies and terrorists.</p>
<p>In a twin pair of appearances before the Senate’s judiciary and intelligence committees on Wednesday, James Comey testified that Isis’s use of end-to-end encryption, whereby the messaging service being used to send information does not have access to the decryption keys of those who receive it, helped the group place a “devil” on the shoulders of potential recruits “saying kill, kill, kill, kill”.</p>
<p>Comey said that while the FBI is thus far disrupting Isis plots, “I cannot see me stopping these indefinitely.” He added: “I am not trying to scare folks.”</p>
<p>Since October, following Apple’s decision to bolster its mobile-device security, Comey has called for a “debate” about inserting “back doors” – or “front doors”, as he prefers to call them – into encryption software, warning that “encryption threatens to lead us all to a very, very dark place”.</p>
<p>But Comey and deputy attorney general Sally Quillian Yates testified that they do not at the moment envision proposing legislation to mandate surreptitious or backdoor access to law enforcement. Both said they did not wish the government to itself hold user encryption keys and preferred to “engage” communications providers for access, though technicians have stated that what Comey and Yates seek is fundamentally incompatible with end-to-end encryption.</p>
<p>Comey, who is not a software engineer, said his response to that was: “Really?” He framed himself as an advocate of commercial encryption to protect personal data who believed that the finest minds of Silicon Valley can invent new modes of encryption that can work for US law enforcement and intelligence agencies without inevitably introducing security flaws.</p>
<p>While the FBI director did not specifically cite which encrypted messaging apps Isis uses, the Guardian reported in December that its grand mufti used WhatsApp to communicate with his former mentor. WhatsApp adopted end-to-end encryption last year.</p>
<p>“I think we need to provide a court-ordered process for obtaining that data,” said Dianne Feinstein, the California Democrat and former intelligence committee chair who represents Silicon Valley.</p>
<p><img src="http://static6.businessinsider.com/image/531bbae46bb3f7c00560aad5-1200-800/ap100503126128.jpg" border="0" alt="FBI agents federal bureau of investigation">But Comey’s campaign against encryption has run into a wall of opposition from digital security experts and engineers. Their response is that there is no technical way to insert a back door into security systems for governments that does not leave the door ajar for anyone – hackers, criminals, foreign intelligence services – to exploit and gain access to enormous treasure troves of user data, including medical records, financial information and much more.</p>
<p>The cybersecurity expert Susan Landau, writing on the prominent blog Lawfare, called Comey’s vision of a security flaw only the US government could exploit “magical thinking”.</p>
<p>Comey is aided in his fight against encryption by two allies, one natural and the other accidental. The natural ally is the National Security Agency director, Michael Rogers, who in February sparred with Yahoo’s chief of information security when the Yahoo official likened the anti-crypto push to “drilling a hole in the windshield”, saying: “I just believe that this is achievable. We’ll have to work our way through it.” The Guardian, thanks to Edward Snowden’s disclosures, revealed in September 2013 that the NSA already undermines encryption.</p>
<p>The less obvious ally is China, whom the FBI blamed last month for stealing a massive hoard of federal personnel data.</p>
<p>In May, China unveiled a national security law calling for “secure and controllable” technologies, something US and foreign companies fear is a prelude to a demand for backdoor entry into companies’ encryption software or outright provision of encryption keys.</p>
<p>Without ever mentioning his own FBI director’s and NSA director’s similar demands, Barack Obama castigated China’s anti-encryption push in March. Obama has also declined to criticize efforts in the UK, the US’s premier foreign ally, to undermine encryption. Prime minister David Cameron is proposing to introduce legislation in the autumn to force companies such as Apple, Google and Microsoft to provide access to encrypted data.</p>
<p>In advance of Comey’s testimony, several of the world’s leading cryptographers, alarmed by the return of a battle they thought won during the 1990s “Crypto Wars”, rejected the effort as pernicious from a security perspective and technologically illiterate.</p>
<p>A paper they released on Tuesday, called “Keys Under Doormats”, said the transatlantic effort to insert backdoors into encryption was “unworkable in practice, raise[s] enormous legal and ethical questions, and would undo progress on security at a time when internet vulnerabilities are causing extreme economic harm”.</p>
<p>Kevin Bankston of the New America Foundation called into question the necessity of Comey’s warnings that encryption would lead to law enforcement “going dark” against threats. Bankston, in a Tuesday blogpost, noted that the government’s latest wiretap disclosure found that state and federal governments could not access four encrypted conversations out of 3,554 wiretapped in 2014.</p>
<p>Yet Yates said both that the Justice Department was “increasingly” facing the encryption challenge and that she lacked the data quantifying how serious the challenge was. Yates told the Senate judiciary committee that law enforcement declined to seek warrants in cases of encrypted communications and did not say how often it made such a decision.</p> http://www.businessinsider.com/splash-id-password-management-2015-7Keep all of your passwords organized and protected for $25http://www.businessinsider.com/splash-id-password-management-2015-7
Wed, 08 Jul 2015 10:00:00 -0400Banu Ibrahim
<p><img style="float:right;" src="http://static1.businessinsider.com/image/559bd68a69bedd043afc8f8a-400-300/z-33.jpg" border="0" alt="Z" width="400" height="300"></p><p></p>
<p>By now, hopefully everyone knows that selecting 'password' as your password is not a good idea; it leaves your personal data and financial records vulnerable.</p>
<p>But, listen, anyone can fall victim to cyber theft — regardless of his or her login.</p>
<p>Changing your credentials <a href="http://www.businessinsider.com/most-common-identity-theft-mistake-2014-8">every 3 to 6 months</a>&nbsp;is a solid preventive measure; investing in an encrypted service, like&nbsp;<a href="https://stacksocial.com/sales/splashid-pro-lifetime-plan?aid=a-49y03t13">Splash ID</a>, is another way to make sure your crucial documents stay secure and confidential.&nbsp;Splash ID's&nbsp;<a href="https://stacksocial.com/sales/splashid-pro-lifetime-plan?aid=a-49y03t13">lifetime plan&nbsp;</a>does more than help you keep track of all those passwords you always forget. You also have the option to sync (or not sync) your records with the cloud and WiFi for easy accessibility —&nbsp;to you and you only.</p>
<p><span style="line-height: 1.5em;">Toss the coffee-stained Post-its and bits of scrap paper you have by your computer — and start to take your password management seriously.&nbsp;</span></p>
<p><a href="https://stacksocial.com/sales/splashid-pro-lifetime-plan?aid=a-49y03t13"><strong>SplashID&nbsp;Pro: Lifetime Plan</strong>, $24.99 (originally $100), available at Stack Commerce.</a>&nbsp;<span style="color: #ff0000;">[75% off]</span></p>
<hr>
http://www.businessinsider.com/are-selfies-the-future-of-mobile-payments-2015-7Are selfies the future of mobile payments?http://www.businessinsider.com/are-selfies-the-future-of-mobile-payments-2015-7
Tue, 07 Jul 2015 16:28:40 -0400Nancee Halpin
<p><img style="float:right;" src="https://ci4.googleusercontent.com/proxy/aI-_wm-n08Ssvk-NLmdXJNG9hsoVhLPQK7rxz5JOiDcfimAgxmnH9PC8pOE6bysLpZktuzMwlS035tKJwYAq0279fGy7-VL2HfgNyoGy4SBZImHv6F9Ax0EpBvbkj0kafPh3Ju52aKVtXpbuBtB5wdeETbCm1faC8FVuHA=s0-d-e1-ft#https://static-bii6.businessinsider.com/image/5506dc066da811e00b4b7c48-700/bii-us%20retail%20fraud.png" alt="BII US Retail Fraud" border="0"></p><p>As the e-commerce industry grows, so does the need for secure online payment systems. A common concern among online shoppers, especially in the wireless mobile commerce domain, is sharing personal payment information over the internet. Online merchants have limited ways of confirming a shopper’s identity, making them more susceptible to fraud.&nbsp;<a href="http://e.businessinsider.com/558ef6ec2912ffb67b8b52062srdy.eq/VOZefMPobL_bgseHA45c8" target="_blank">As we reported previously</a>, US retailers’ mobile commerce channels faced the highest fraud losses as a percentage of revenue in 2014. Multiple financial services, including banking and payments, are moving into wireless capabilities, which requires security and identity verification services to progress in step.&nbsp;</p>
<p>MasterCard wants to usher in the digital age of payments by allowing shoppers to pay for online purchases with a selfie, reports&nbsp;<a href="http://e.businessinsider.com/558ef6ec2912ffb67b8b52062srdy.eq/VZTBk8PoP7lGFJEaA350d" target="_blank">CNN</a>. Rather than remembering a password (that can be hacked or forgotten), users can make online purchases with just the MasterCard mobile app and their face. Here’s how it will work:</p>
<ul>
<li>Download the MasterCard phone app.</li>
<li>Go to the facial recognition option.</li>
<li>Stare at the phone.</li>
<li>Blink once.</li>
</ul>
<p>In an effort to cut down on fraud, MasterCard uses the facial recognition software to create a code based on the user’s face that will stay on the device the app is installed on. The company decided to use blinking as the best way to make sure that someone could not just use a picture of the customer to make unsolicited purchases. Users will also have the option to use a fingerprint scan as verification instead. This new feature is currently in the testing phase and MasterCard looks to launch it to the public this coming fall.</p>
http://www.businessinsider.com/cyber-war-us-uk-weaponsThe US government just tested its cyber weapons in a series of war gameshttp://www.businessinsider.com/cyber-war-us-uk-weapons
Mon, 06 Jul 2015 07:13:43 -0400Alastair Stevenson
<p><img style="float:right;" src="http://static2.businessinsider.com/image/559a6303dd0895ac738b45a7-3112-2334/rtx104fy.jpg" alt="A US soldier firing a gun" data-mce-source="Reuters Pictures" data-mce-caption="US future weapons are being developed" /></p><p>The US government live-tested its digital weapons arsenal during <a href="http://www.wsj.com/articles/u-s-agencies-conduct-cyber-war-games-1436069213" title="U.S. Agencies Conduct Cyberwar Games">a three-week series of war games</a>, leading to fresh concerns it is preparing for &ldquo;cyber war.&rdquo;</p>
<p>According to The Wall Street Journal, the war games involved&nbsp;the Pentagon, Department of Homeland Security (DHS), National Security Agency (NSA) and an undisclosed number of unnamed &ldquo;UK officials&rdquo; and &ldquo;private companies.&rdquo;</p>
<p>At the time of publishing, none of the mentioned US departments or the UK Cabinet Office had responded to Business Insider&rsquo;s request for comment.</p>
<p>The exercises were reportedly held at the US military base in Suffolk, Va., in June. The tests saw participants split into 14 teams and tasked with mitigating simulated attacks.</p>
<p>The final stage of the games saw the participating private companies&nbsp;ejected from the event so&nbsp;the military teams could test&nbsp;cyber &ldquo;response actions,&rdquo; which is a codeword for counterattacks.</p>
<p>The US is one of many countries believed to be developing cyber weapons. The US has constantly accused China of developing and using cyber weapons against it.</p>
<p>Democratic presidential candidate <a href="http://www.businessinsider.com/r-clinton-accuses-china-of-hacking-efforts-2015-7" title="Hillary Clinton accuses China of trying to 'hack everything that doesn't move in America' Read more: http://www.businessinsider.com/r-clinton-accuses-china-of-hacking-efforts-2015-7#ixzz3f6Yv45Gh">Hillary Clinton accused China of trying to "hack into everything that doesn't move in America,"</a>&nbsp;during a speech on Saturday. And digital activist group Greatfire.org reported <a href="http://uk.businessinsider.com/china-just-revealed-a-terrifying-new-cyberweapon-2015-4" title="China just revealed a terrifying new cyberweapon">the Chinese government had developed a cyber weapon, called &ldquo;Great Cannon,&rdquo;</a> in April.</p>
<p>The US military&rsquo;s cyber offensive capabilities have been the source of ongoing international debate, and the nature of the counterattack strategies and tools used during the games remains unknown.&nbsp;The&nbsp;country&nbsp;is believed to have played a role in developing several cyber weapons, including the Stuxnet malware.</p>
<p>Stuxnet is sabotage-focused malware that was originally caught targeting Iranian nuclear facilities in 2011. The malware is viewed as a game changer as it attempted to physically break the power plant, not shut down its IT systems.</p>
<p>Reuters reported in May that <a href="http://uk.businessinsider.com/us-tried-stuxnet-style-campaign-against-north-korea-but-failed-2015-5" title="US tried Stuxnet-style computer virus campaign against North Korea but failed Read more: http://uk.businessinsider.com/us-tried-stuxnet-style-campaign-against-north-korea-but-failed-2015-5#ixzz3f6TRhOT0">the US tried to mount a Stuxnet-style computer virus campaign against North Korea</a> but failed.</p>
<p>The June war games focused on critical infrastructure attacks like Stuxnet, and simulated strikes on oil and gas pipelines, &ldquo;a major commercial port in the UK,&rdquo; Pentagon networks, banks and food suppliers.</p> http://www.businessinsider.com/highest-risk-of-identity-theft-2015-7If you've recently done one of these 3 things, you're at a higher risk for having your identity stolenhttp://www.businessinsider.com/highest-risk-of-identity-theft-2015-7
Sun, 05 Jul 2015 14:30:00 -0400Antonia Farzan
<p><img style="float:right;" src="http://static1.businessinsider.com/image/55a15061ecad044d0a7bc1ae-1200-924/ivanka-trump-wedding-2.jpg" border="0" alt="ivanka trump wedding"></p><p>In the past year, have you bought a house, sold a house, gotten married, gotten divorced, had a child, become pregnant, lost your job, or gotten a new one?</p>
<p>If so, you have a higher risk of identity theft.</p>
<p>All of these major life events have one thing in common, according to Paige Hanson, educational programs manager at <a href="http://www.lifelock.com/">Lifelock</a>, the identity-theft-protection company: You're sharing more personal information than you normally would.</p>
<p>Take buying or selling a house, for instance. "Your paperwork passes through the hands of multiple agents and representatives," Hanson explains.</p>
<p>Those documents might include your Social Security number, date of birth, passport number, or copies of your driver's license — all information that can be used to steal your identity.</p>
<p>Homebuyers are nearly three times as likely to be a victim of identity theft as the average person, according to statistics collected by Lifelock, and sellers are almost four times as likely.</p>
<p>You may not be able to avoid giving away that kind of personal information in a real-estate transaction, Hanson says, but it's always worth asking if providing your Social Security number, for instance, is really necessary.</p>
<p>"A lot of people think that just because they've been asked for information, they have to provide it," she says. "Before automatically giving it away, ask why. A lot of times, they won't have an answer. And maybe you'll be encouraging them to change their security standards."</p>
<p>Lifelock's research has found that just about any major life change comes with the danger of identity theft:</p>
<ul>
<li>Your risk of getting your identity stolen is 3.5 times higher if you've been married in the past year.</li>
<li>Having a child or becoming pregnant increases the risk of identity theft by 2.7 times.</li>
<li>Either losing a job or starting a new one raises your risk of identity theft by 50%.</li>
<li>People who have gotten divorced or become separated in the past 12 months are 3.5 times more likely to experience identity theft.</li>
</ul>
<p>Often, it's not a data breach that puts your personal information out in the open — it's what you've posted yourself. Engaged couples often include details like where they live or where they're going on their honeymoon on their wedding websites, and new parents share their children's full names and birth dates on Facebook. There's also the risk of unintentionally exposing your personal data when you use public Wi-Fi networks to apply for jobs, shop online, or check dating websites.</p>
<p>So whether it's a form at the doctor's office that asks for your Social Security number or a website that wants to know your birth date, stop and think before you give that information away. "People need to take active ownership in protecting themselves," Hanson says.</p>